View
6
Download
0
Category
Preview:
Citation preview
On the propagation of a�ne relations through an Sbox
Christina Boura and Anne Canteaut
SECRET Project-Team, INRIA Paris-Rocquencourt
Gemalto, France
October 8, 2012
1 / 25
Outline
1 Description of Hamsi-256
2 Thomas Fuhr's attack
3 Improvement of the attack
4 (v, w)-linear functions
2 / 25
Description of Hamsi-256
Outline
1 Description of Hamsi-256
2 Thomas Fuhr's attack
3 Improvement of the attack
4 (v, w)-linear functions
3 / 25
Description of Hamsi-256
Hamsi Hash Function
Designed by Özgül Küçük in 2008 for the SHA-3 competition.Selected by NIST for the 2nd round (14 candidates).
Compression function of Hamsi-256
message block
chain valuemessage block
256-bit 256-bit
chain value
Concatenation
32-bit
Permutation P
4 / 25
Description of Hamsi-256
Concatenation
State : 4× 4 matrix of 32-bit words
s0
s5
s10
s15
s1 s2 s3
s6
s11
s4
s9
s14
s8
s12 s13
s7
m0
m2
m4 m5
m1
m3
m6 m7
c0 c1
c2 c3
c4 c5
c6 c7
5 / 25
Description of Hamsi-256
Permutation P
3 rounds of a 512-bit round permutation R
XOR of constants
Substitution by 4× 4-bit Sboxes
Di�usion by a linear transformation L
6 / 25
Description of Hamsi-256
Substitution
128 parallel applications of a 4× 4 Sbox SS is a Serpent Sbox
S = {8, 6, 7, 9, 3, 12, 10, 15, 13, 1, 14, 4, 0, 11, 5, 2}
7 / 25
Description of Hamsi-256
Di�usion
4 parallel applications of a linear function L
L : F1282 → F128
2
L(a, b, c, d) = (a′, b′, c′, d′),
a
b
c
d
a′
b′
c′
d′
Each bit of a′ and c′ is the XOR of 7 bits of a, b, c, d.
Each bit of b′ and d′ is the XOR of 3 bits of a, b, c, d.
8 / 25
Thomas Fuhr's attack
Outline
1 Description of Hamsi-256
2 Thomas Fuhr's attack
3 Improvement of the attack
4 (v, w)-linear functions
9 / 25
Thomas Fuhr's attack
First second preimage attack against Hamsi-256 by Thomas Fuhr(Asiacrypt 2010)
Idea:
Find some output bits which can be expressed as an a�ne function ofsome inputs bits when the other input bits are �xed to any arbitrary value.
Build the linear system.
Solve the system (�nd preimages for the compression function).
Use a meet-in-the-middle algorithm to extend these pseudo-preimagesto second preimages for the hash function.
10 / 25
Thomas Fuhr's attack
Description of the attack in [Fuhr10]
Important property of S
S(1, x, 0, x̄) = (1, 0, 0, x) ∀x ∈ F2
Fix Nvar positions i = 1, . . . , Nvar (here Nvar = 4).
Choose a message block m such that si0 = 1 (resp. si1 = 1) andsi8 = 0 (resp. si8 = 1).
Consider Nvar variables xi, i = 1, . . . , Nvar.
11 / 25
Thomas Fuhr's attack
Description of the attack in [Fuhr10]
Important property of S
S(1, x, 0, x̄) = (1, 0, 0, x) ∀x ∈ F2
Fix Nvar positions i = 1, . . . , Nvar (here Nvar = 4).
Choose a message block m such that si0 = 1 (resp. si1 = 1) andsi8 = 0 (resp. si8 = 1).
Consider Nvar variables xi, i = 1, . . . , Nvar.
1
0
1
0
1 1
0 0
11 / 25
Thomas Fuhr's attack
Description of the attack in [Fuhr10]
Important property of S
S(1, x, 0, x̄) = (1, 0, 0, x) ∀x ∈ F2
Fix Nvar positions i = 1, . . . , Nvar (here Nvar = 4).
Choose a message block m such that si0 = 1 (resp. si1 = 1) andsi8 = 0 (resp. si8 = 1).
Consider Nvar variables xi, i = 1, . . . , Nvar.
1
0
x1
x1
1
0
1 1
0 0
x2
x2
x3
x3
x4
x4
11 / 25
Thomas Fuhr's attack
1
0
x1
x1
1
0
1 1
0 0
x2
x2
x3
x3
x4
x4
x1 x2 x3 x4
1 1 11
0
0
0
0
0
0
0
0
Sboxes
Linear Layer
After the �rst round, the state is linear in the input variables, forany choice of the other constants.
12 / 25
Thomas Fuhr's attack
1
0
x1
x1
1
0
1 1
0 0
x2
x2
x3
x3
x4
x4
x1 x2 x3 x4
1 1 11
0
0
0
0
0
0
0
0
Sboxes
Linear Layer
After the �rst round, the state is linear in the input variables, forany choice of the other constants.
12 / 25
Thomas Fuhr's attack
4 di�erent situations
All the input bits are constant.
S
c
c
c
c c
c
c
c
All output bits are constant.
13 / 25
Thomas Fuhr's attack
4 di�erent situations
At most one input bit depends on one variable (or a a�necombination of variables).
S
c
x3
c
c A(x3)
A(x3)
A(x3)
A(x3)
All output bits are an a�ne combination of this variable.
13 / 25
Thomas Fuhr's attack
4 di�erent situations
At least two input bits depend on the same variable (or the samea�ne combination of variables).
S
c
x3
c
x3 A(x3)
A(x3)
A(x3)
A(x3)
All output bits are an a�ne combination of this variable.
13 / 25
Thomas Fuhr's attack
4 di�erent situations
At least two input bits depend on at least two di�erent variables.
S
c
x3
c
x5
?
?
?
?
13 / 25
Thomas Fuhr's attack
4 di�erent situations
At least two input bits depend on at least two di�erent variables.
S
c
x3
c
x5
?
?
?
?
Are all output bits non-linear?
13 / 25
Thomas Fuhr's attack
Two properties of S noticed by Thomas Fuhr
y0 is of degree at most 1 if x0x2 is of degree at most 1.
y3 is of degree at most 1 if x1x3 and x0x1x2 are of degree at most 1.
y0 = x0x2 + x1 + x2 + x3
y1 = x0x1x2 + x0x1x3 + x0x2x3 + x1x2 + x0x3 + x2x3 + x0 + x1 + x2
y2 = x0x1x3 + x0x2x3 + x1x2 + x1x3 + x2x3 + x0 + x1 + x3
y3 = x0x1x2 + x1x3 + x0 + x1 + x2 + 1.
14 / 25
Thomas Fuhr's attack
Two properties of S noticed by Thomas Fuhr
y0 is of degree at most 1 if x0x2 is of degree at most 1.
y3 is of degree at most 1 if x1x3 and x0x1x2 are of degree at most 1.
y0 = x0x2 + x1 + x2 + x3
y1 = x0x1x2 + x0x1x3 + x0x2x3 + x1x2 + x0x3 + x2x3 + x0 + x1 + x2
y2 = x0x1x3 + x0x2x3 + x1x2 + x1x3 + x2x3 + x0 + x1 + x3
y3 = x0x1x2 + x1x3 + x0 + x1 + x2 + 1.
14 / 25
Thomas Fuhr's attack
Two properties of S noticed by Thomas Fuhr
y0 is of degree at most 1 if x0x2 is of degree at most 1.
y3 is of degree at most 1 if x1x3 and x0x1x2 are of degree at most 1.
y0 = x0x2 + x1 + x2 + x3
y1 = x0x1x2 + x0x1x3 + x0x2x3 + x1x2 + x0x3 + x2x3 + x0 + x1 + x2
y2 = x0x1x3 + x0x2x3 + x1x2 + x1x3 + x2x3 + x0 + x1 + x3
y3 = x0x1x2 + x1x3 + x0 + x1 + x2 + 1.
Results (PhD of T. Fuhr)
16 a�ne equations on 8 variables.11 a�ne equations on 9 variables.9 a�ne equations on 10 variables.
14 / 25
Improvement of the attack
Outline
1 Description of Hamsi-256
2 Thomas Fuhr's attack
3 Improvement of the attack
4 (v, w)-linear functions
15 / 25
Improvement of the attack
An equivalent notation
y0 is of degree at most 1 if x0x2 is of degree at most 1.ww�y0 is of degree at most 1 if x ∈ V ⊥ ⊂ F4
2 with V = 〈1〉 , V = 〈4〉 orV = 〈5〉, or to any coset of these hyperplanes.
y3 is of degree at most 1 if x1x3 and x0x1x2 are of degree at most 1.ww�y3 is of degree at most 1 if x belongs to any coset of V ⊥ ⊂ F4
2 withV = 〈1, 2〉 , V = 〈2, 4〉 or V = 〈2, 5〉.
16 / 25
Improvement of the attack
An equivalent notation
y0 is of degree at most 1 if x0x2 is of degree at most 1.ww�y0 is of degree at most 1 if x ∈ V ⊥ ⊂ F4
2 with V = 〈1〉 , V = 〈4〉 orV = 〈5〉, or to any coset of these hyperplanes.
y3 is of degree at most 1 if x1x3 and x0x1x2 are of degree at most 1.ww�y3 is of degree at most 1 if x belongs to any coset of V ⊥ ⊂ F4
2 withV = 〈1, 2〉 , V = 〈2, 4〉 or V = 〈2, 5〉.
16 / 25
Improvement of the attack
We have identi�ed many such relations for S with dimV = 2
〈1, 2〉 {1, 6, 7, 8, 9, e, f}〈1, 4〉 {1, e, f}〈1, 6〉 {1, 4, 5, a, b, e, f}〈1, 8〉 {1, e, f}〈1, a〉 {1, 2, 3, c, d, e, f}〈1, c〉 {1, e, f}〈1, e〉 {1, e, f}〈2, 4〉 {1, 8, 9}〈2, 5〉 {1, 8, 9}〈2, 8〉 {e}〈2, 9〉 {e}〈2, d〉 {f}〈3, 4〉 {1, 6, 7}...
...
35 properties in total
17 / 25
Improvement of the attack
We have identi�ed many such relations for S with dimV = 2
〈1, 2〉 {1, 6, 7, 8, 9, e, f}〈1, 4〉 {1, e, f}〈1, 6〉 {1, 4, 5, a, b, e, f}〈1, 8〉 {1, e, f}〈1, a〉 {1, 2, 3, c, d, e, f}〈1, c〉 {1, e, f}〈1, e〉 {1, e, f}〈2, 4〉 {1, 8, 9}〈2, 5〉 {1, 8, 9}〈2, 8〉 {e}〈2, 9〉 {e}〈2, d〉 {f}〈3, 4〉 {1, 6, 7}...
...
35 properties in total
17 / 25
Improvement of the attack
Improvement of the attack of [Fuhr10]
1. Use these properties to search for a�ne propagation of the inputvariables through the 2nd and the 3rd round.
2. Use the following relations of S to go through the 1st round.
S(1, x, 0, x̄) = (1, 0, 0, x) ∀x ∈ F2
S(1, x, 0, x) = (0, x, 1, 0) ∀x ∈ F2
3. Track backwards the propagation of the output bits to �x the inputvariables.
Results
13 a�ne equations on 9 variables.11 a�ne equations on 10 variables.
18 / 25
Improvement of the attack
Improvement of the attack of [Fuhr10]
1. Use these properties to search for a�ne propagation of the inputvariables through the 2nd and the 3rd round.
2. Use the following relations of S to go through the 1st round.
S(1, x, 0, x̄) = (1, 0, 0, x) ∀x ∈ F2
S(1, x, 0, x) = (0, x, 1, 0) ∀x ∈ F2
3. Track backwards the propagation of the output bits to �x the inputvariables.
Results
13 a�ne equations on 9 variables.11 a�ne equations on 10 variables.
18 / 25
Improvement of the attack
Improvement of the attack of [Fuhr10]
1. Use these properties to search for a�ne propagation of the inputvariables through the 2nd and the 3rd round.
2. Use the following relations of S to go through the 1st round.
S(1, x, 0, x̄) = (1, 0, 0, x) ∀x ∈ F2
S(1, x, 0, x) = (0, x, 1, 0) ∀x ∈ F2
3. Track backwards the propagation of the output bits to �x the inputvariables.
Results
13 a�ne equations on 9 variables.11 a�ne equations on 10 variables.
18 / 25
Improvement of the attack
Improvement of the attack of [Fuhr10]
1. Use these properties to search for a�ne propagation of the inputvariables through the 2nd and the 3rd round.
2. Use the following relations of S to go through the 1st round.
S(1, x, 0, x̄) = (1, 0, 0, x) ∀x ∈ F2
S(1, x, 0, x) = (0, x, 1, 0) ∀x ∈ F2
3. Track backwards the propagation of the output bits to �x the inputvariables.
Results
13 a�ne equations on 9 variables.11 a�ne equations on 10 variables.
18 / 25
(v, w)-linear functions
Outline
1 Description of Hamsi-256
2 Thomas Fuhr's attack
3 Improvement of the attack
4 (v, w)-linear functions
19 / 25
(v, w)-linear functions
The notion of (v, w)-linearity
De�nition
Let S be a function from Fn2 into Fm2 . Then, S is said to be (v, w)-linear ifthere exist two subspaces V ⊂ Fn2 and W ⊂ Fm2 with dimV = v anddimW = w such that, for all λ ∈W , Sλ has degree at most 1 on allcosets of V , where Sλ is the Boolean function x 7→ λ · S(x).
We used that the Sbox of Hamsi is (3, 2)-linear for some (V,W ), and thatit is (2,2)-linear for many (V,W ).
20 / 25
(v, w)-linear functions
Link with the Maiorana-McFarland construction
A function S from Fn2 into Fm2 is (v, w)-linear if the function SW thatcorresponds to all the components Sλ , λ ∈W can be written as
SW (u, v) = M(u)v +G(u),
where U × V = Fn2 , G is a function from U in Fw2 and M(u) is a w × vbinary matrix.
Generalisation of the Maiorana-McFarland construction
The degree of each Sλ is at most dimU + 1 = n+ 1− v.
21 / 25
(v, w)-linear functions
Link with the Maiorana-McFarland construction
A function S from Fn2 into Fm2 is (v, w)-linear if the function SW thatcorresponds to all the components Sλ , λ ∈W can be written as
SW (u, v) = M(u)v +G(u),
where U × V = Fn2 , G is a function from U in Fw2 and M(u) is a w × vbinary matrix.
Generalisation of the Maiorana-McFarland construction
The degree of each Sλ is at most dimU + 1 = n+ 1− v.
21 / 25
(v, w)-linear functions
Boolean functions that are equivalent to the Maiorana-McFarlandconstruction can be characterized by their second-order derivatives.(Similar for vectorial functions)
Proposition
Let S be a function from Fn2 into Fm2 . Then, S is (v, w)-linear if and onlyif there exists a subset of w independent components of S,SW = (Si1 , . . . , Siw), and a linear subspace V of dimension v such that allsecond-order derivatives of SW , DαDβSW with α, β ∈ V vanish.
Easy algorithm for �nding all (v, w)-linear subspaces.
22 / 25
(v, w)-linear functions
Boolean functions that are equivalent to the Maiorana-McFarlandconstruction can be characterized by their second-order derivatives.(Similar for vectorial functions)
Proposition
Let S be a function from Fn2 into Fm2 . Then, S is (v, w)-linear if and onlyif there exists a subset of w independent components of S,SW = (Si1 , . . . , Siw), and a linear subspace V of dimension v such that allsecond-order derivatives of SW , DαDβSW with α, β ∈ V vanish.
Easy algorithm for �nding all (v, w)-linear subspaces.
22 / 25
(v, w)-linear functions
Link with non-linearity
Proposition
Let S be a function from Fn2 into Fm2 . If S is (v, w)-linear, then S has wweakly v-normal coordinates. In particular, L(S) ≥ 2v.
23 / 25
(v, w)-linear functions
(n− 1, 1)-linear functions
Proposition
Let f be a Boolean function of n variables. Then, f is (n− 1, 1)-linear ifand only if deg f ≤ 2 and L(f) ≥ 2n−1. Moreover, if deg(f) = 2 andL(f) ≥ 2n−1, there exist exactly 3 distinct hyperplanes H such that f hasdegree at most 1 on both H and H̄.
Remark : The number of subspaces for which S is (n− 1, 1)-linear isdetermined by the number of the quadratic components of S.
24 / 25
(v, w)-linear functions
(n− 1, 1)-linear functions
Proposition
Let f be a Boolean function of n variables. Then, f is (n− 1, 1)-linear ifand only if deg f ≤ 2 and L(f) ≥ 2n−1. Moreover, if deg(f) = 2 andL(f) ≥ 2n−1, there exist exactly 3 distinct hyperplanes H such that f hasdegree at most 1 on both H and H̄.
Remark : The number of subspaces for which S is (n− 1, 1)-linear isdetermined by the number of the quadratic components of S.
24 / 25
(v, w)-linear functions
Classi�cation of 4× 4 Sboxes
A 4× 4 Sbox S with optimal linearity (L(S) = 8) has 0, 1, 3, or 7quadratic components.
Sboxes with 15 quadratic components have one linear component.
Sboxes with 7 quadratic components are not optimal againstdi�erential cryptanalysis.
Merci pour votre attention !
25 / 25
(v, w)-linear functions
Classi�cation of 4× 4 Sboxes
A 4× 4 Sbox S with optimal linearity (L(S) = 8) has 0, 1, 3, or 7quadratic components.
Sboxes with 15 quadratic components have one linear component.
Sboxes with 7 quadratic components are not optimal againstdi�erential cryptanalysis.
Merci pour votre attention !
25 / 25
Recommended